Making kactivitymanagerd removable

kactivitymanagerd is a problematic piece of software. Just try to Google it, and you will quickly find out about some of its problems.

However, bugs are not what I want to speak about here. The whole premise of kactivitymanagerd is considered by some, including me, as reduntant at best, privacy-destroying at worst.

kactivitymanagerd’s raison d’etre is to give other programs information about the current activity of the computer’s user. I consider this a security vulnerability. For example, this could help spyware with spying, or cause privilege escalation by giving a malware information when to launch an illegitimate “administrative privileges needed” prompt. While several anonymity-oriented distros separate running programs using sometimes extreme measures, such us VMs, KDE (I understand that KDE is not a distro) goes in the opposite direction – it has this daemon, purpose of which is to give other programs potentially sensitive information about the user.

In several distros, including Debian and Ubuntu, kactivitymanagerd is a dependecy of Plasma itself. I assume this dependecy relationship also exists in the original Plasma. (By “original Plasma”, I mean the Plasma developed by KDE, as opposed to its packaged versions in various distros.)

I am not happy with being required to have kactivitymanagerd installed on my computer. Some users might want to keep kactivitymanagerd, so I am not proposing to eliminate it completely. I would rather like to propose making it optional (eliminating it as a dependency), at least in the very base of Plasma.

Would this be possible?

I find Activities very useful and still waiting someone could have time to fix the bugs that affect the functionality.

If you find this feature useless, then you can simply remove all the additional Activities and leave the default one only.
Find this in: System Settings → Apps and windows → Activity

“Activity” should be very different from “Desktop”, allowing to operate the system resources like as different PCs.

What’s your opinion ?

If you’re aware of how to go about an attack like this, please describe the methodology and/or a link to an analysis that has done so. Plasma does take security concerns seriously (see for instance the response to the recent executable theme content incident and resulting merge requests) but also the perceived threat has to be more specific than “knowing the current activity can help spyware”.

Be specific. What’s the sequence of steps that would result in an attack, that would not be possible if kactivitymanagerd were not installed? What would be the outcome and severity of this attack? How does it betray expectations of a reasonable but not necessarily security-conscious user? Is it possible in the default configuration, or did the user have to specifically opt into the behavior by changing settings? And is there a way to prevent this described attack by changing default behaviors, so that all users benefit from an increase in security, rather than a complete removal of the package which only a handful of users will ever even consider?